Are you part of an organisation that performs war dialling as part of their regular external security audits? I can almost guarantee that most readers of this article will answer 'no' to that question. By not conducting regular war dialling as part of their regular external security audits, organisations are leaving themselves open to potential network security breaches due to the lack of knowledge of rogue or poorly configured modems attached to their network infrastructure. Rogue modems are known to have been installed by disgruntled employees or an attacker who has breached the physical perimeter of the organisation.

For those new to the subject, war dialling is a technique used by attackers, traditionally using a modem, to scan a list of telephone numbers to search for modems, faxes, voice mail, PBXs, loops, dial tones, forwarders etc. War dialling was made well known in the popular 1983 film 'War Games' starring Matthew Broderick as a teenage hacker who unwittingly hacks a United States military supercomputer programmed to predict potential ramifications of a nuclear war. Attackers will often use war dialling attacks to gain access to the protected network without having to compromise the organisation's firewall in place between the public and private networks. Sometimes, these systems won't even require valid authentication credentials (e.g. username and password) to gain access to systems within the organisation's network perimeter.

As a security consultant I rarely get asked about war dialling assessments by clients, and there seems to be a general opinion that war dialling is a 1980s to mid-90s attack vector. Until recently there has been a lack of development of war dialling tools and utilities by the public community. However, free and readily available war dialling software has recently been released by the community (e.g. WarVOX by Metasploit), allowing an attacker to scan over 1,000 numbers per hour. Has this attack vector vanished from the face of the Earth, or are there really attackers out there still using this old school method to attack public and private organisations?

In my extensive experience of security testing and auditing, most organisations do not commission war dialling as part of their regular security audits. However, some security experts may argue that unauthorised or insecure modems are one of the most overlooked security issues today. As with most successful attacks, this could prove to be fatal to the security posture of the organisation and most likely prove to be very embarrassing. It is also most likely to prove costly in terms of remedial action and in regards to the organisation's reputation.

So what do you come across in a war dialling audit for an organisation as a security consultant? I think this all depends on the size and nature of the business, but some real examples from the most recent war dialling tests include the following systems that have been found to be, most of the time, insecure or misconfigured: Private Branch Exchange (PBX) telephone exchange systems, Cisco-based telecommunications network systems (MPLS), data storage systems, various monitoring systems for water and environmental protection industries, fire and alarm systems, elevator control systems, secure dial-in services normally used to provide secure remote or occasional access to Local Area Networks (LAN) via the public telephone network, and various fax compatible systems. Some of these systems are generally classified as important or critical by the organisation. Most of the time the client never knew these systems were remotely accessible, and it turns out that the service provider installed them for remote troubleshooting or that they have the default installation configured with default login credentials!

Now consider this: what if some of these remote access systems were Supervisory Control and Data Acquisition (SCADA) systems used to control valves, motors or other forms of equipment? This is obviously relevant for power transmission, oil, gas and water treatment industries, but not limited to those. For example, what if an attacker was able to shut down the power in that local area, or remotely open a valve at the sewage plant, causing a sewage discharge? All of this through access gained via an insecure remote access dial-up service. More disastrous examples could be illustrated but I think you should be able to think of a few yourself… how about sewage plants, chemical plants, embedded systems, crane control systems, water purification systems, petroleum wellhead pump controls or even nuclear power generation systems. I am not saying all of these types of systems have modems directly connected to them but the associated infrastructure might.

Throughout my career as a security consultant I have been a firm believer that war dialling should form part of an organisation's regular security audit. War dialling will bring assurance to the organisation that they don't have rogue, poorly configured or unauthorised modems exposed to the general Internet and that they are resilient and secure against potential attacks. To date, there has not been one war dialling audit conducted that I have been involved with without a vulnerability being uncovered for the organisation commissioning the audit. With new, improved war dialling techniques and software being readily available, perhaps you should consider conducting a war dialling audit to explore, enumerate, classify and audit your exposed systems? Just remember, if you don't find your vulnerabilities, the evil attackers surely will.

Commissum are exhibiting at Infosecurity Europe, the No. 1 industry event in Europe, held on 27th - 29th April at Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise.